Controlled Query Evaluation for Known Policies by Combining Lying and Refusal

  • Joachim Biskup
  • Piero A. Bonatti


Controlled query evaluation enforces security policies for confidentiality in information systems. It deals with users who may apply background knowledge to infer additional information from the answers to their queries. For each query the correct answer is first judged by some censor and then – if necessary – appropriately modified to preserve security. In previous approaches, modification has been done uniformly, either by lying or by refusal. A drawback of lying is that all disjunctions of secrets must always be protected. On the other hand, refusal may hide an answer even when the correct answer does not immediately reveal a secret. In this paper we introduce a hybrid answer modification method that appropriately combines lying and refusal. We prove that the new method is secure under the models of known potential secrets and of known secrecies, respectively. Furthermore, we demonstrate that the combined approach can be more cooperative than uniform lying and uniform refusal, and enjoys the advantages of both.

inference control controlled query evaluation secrecy potential secret user log refusal lying reliability 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    J. Biskup, For unknown secrecies refusal is better than lying, Data and Knowledge Engineering 33 (2000) 1–23.Google Scholar
  2. [2]
    J. Biskup and P.A. Bonatti, Lying versus refusal for known potential secrets, Data and Knowledge Engineering 38 (2001) 199–222.Google Scholar
  3. [3]
    J. Biskup and P.A. Bonatti, Confidentiality policies and their enforcement for controlled query evaluation, in: Proc. of ESORICS 2002, Lecture Notes in Computer Science, Vol. 2502 (Springer, New York, 2002) pp. 39–54.Google Scholar
  4. [4]
    P.A. Bonatti, S. Kraus and V.S. Subrahmanian, Foundations of secure deductive databases, IEEE Transactions on Knowledge and Data Engineering 7(3) (1995) 406–422.Google Scholar
  5. [5]
    S. Dawson, S. De Capitani di Vimercati, P. Lincoln and P. Samarati, Minimal data upgrading to prevent inference and association attacks, in: Proc. of the 18th ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (PODS) (1999) pp. 114–125.Google Scholar
  6. [6]
    J.W. Lloyd, Foundations of Logic Programming (Springer, Berlin, 1987).Google Scholar
  7. [7]
    X. Quian, View-based access control with high assurance, in: Proc. of the 1996 IEEE Symposium on Security and Privacy (1996) pp. 85–93.Google Scholar
  8. [8]
    J.R. Shoenfield, Mathematical Logic (Addison-Wesley, Reading, MA, 1967).Google Scholar
  9. [9]
    G.L. Sicherman, W. de Jonge and R.P. van de Riet, Answering queries without revealing secrets, ACM Transactions on Database Systems 8(1) (1983) 41–59.Google Scholar
  10. [10]
    M.E. Stickel, Elimination of inference channels by optimal upgrading, in: Proc. of the 1994 IEEE Symposium on Security and Privacy (1994) pp. 168–174.Google Scholar
  11. [11]
    T.A. Su and G. Ozsoyoglu, Controlling FD and MVD inferences in multilevel relational database systems, IEEE Transactions on Knowledge and Data Engineering 3(4) (1991) 474–485.Google Scholar

Copyright information

© Kluwer Academic Publishers 2004

Authors and Affiliations

  • Joachim Biskup
    • 1
  • Piero A. Bonatti
    • 2
  1. 1.Fachbereich InformatikUniversität DortmundDortmundGermany
  2. 2.Dipartimento di Scienze FisicheUniversità di Napoli “Federico II”NapoliItaly

Personalised recommendations